Professional Documents
Culture Documents
Version: 1.0.0
1
Chapter 1
• Introduction
• Deployment Architecture
Introduction
This document is intended to provide overall App Specification for the QRadar App built for Symantec
Inc. It contains details of step by step guide to install, setup & configuring Symantec Email Security
App for QRadar.
Deployment Architecture
IBM QRadar SIEM is a network security management platform that provides situational awareness
and compliance support. It collects, processes, aggregates, and stores network data in real time. IBM
Security QRadar SIEM (Security Information and Event Management) is a modular architecture that
provides real-time visibility of your IT infrastructure, which you can use for threat detection and
prioritization.
Symantec Email Security App for QRadar utilizes the power of IBM QRadar and provides you a
seamless experience for Email Security and phishing by collecting data from Symantec Email
Security.Cloud.
Below is the topology of data collection from Symantec Email Security.Cloud to QRadar.
2
Figure 1: Symantec Email Security.Cloud Integration with IBM QRadar
Symantec Email Security.Cloud is a comprehensive, cloud-based service that safeguards your email
while strengthening the built-in security of cloud-based productivity tools such as Office 365 and G
Suite. It blocks new and sophisticated email threats such as spear phishing, ransomware, and
Business Email Compromise with the highest effectiveness and accuracy through multi-layered
detection technologies and insights from the world’s largest civilian threat intelligence network.
Note: Email App for QRadar uses an external API call to locate the IP addresses based on Geo
Code. App needs to have access to public domain to access this data.
3
Chapter 2
App Architecture
This chapter includes the following topics:
• App Architecture
o Data Collection
o Log Sources
o Log Source Types
▪ Custom Property Extraction
▪ Event Mappings
▪ Dashboard Queries
o Visualizations
▪ Overview Dashboard
▪ Trends Dashboard
▪ Investigation Dashboard
▪ Email Threats
App Architecture
Data Collection
The app use REST API calls to onboard data from Symantec Email Cloud server for core services
and Amazon AWS for Email Phishing Data. The application contains python scripts, which makes
REST calls to mentioned APIS. These scripts are run on user-defined schedule.
QRadar parses received data using suitable Log source. The log source is made up of two
components:
• APIs
APIs used for fetching data are:
4
3. Symantec Email Phishing:
HOST = s3.amazonaws.com
BUCKET_NAME = customers.securitytraining.io
• Protocol
It defines how data gets into QRadar. Symantec Email Security App for QRadar used
TCP Syslog protocol for indexing events in QRadar.
Log Sources
Symantec Email App for QRadar creates 3 log sources called “Symantec Email ATP, Symantec Email
Core and Symantec Email Phishing” automatically when the app is installed. This log source will
identify all events that are coming to QRadar with this log source because all events have log source
identifier as follows:
Event Mappings
An event mapping represents an association between an event ID and category combination and a
QID record (referred to as event categorization). Event ID and category values are extracted by DSMs
from events and are then used to look up the mapped event categorization or QID. These events are
mapped to specific High level and low level category.
All events are categorized into High-level and Low-level categories. These categories are pre-defined
by QRadar. For all events from Symantec Email Security App, the High-level category is "Application"
while the Low-level category is "Mail”
5
Symantec Email ATP
This log source types includes the event mappings for Symantec Email ATP APIs as mentioned in
Data Collection section.
6
Visualizations
All the dashboards consist of individual panels which plot specific metric related to the events from
Symantec Email Security.Cloud server. The data in all dashboards is populated from 2 log sources:
Symantec Email ATP and Symantec Email Core. All the dashboards allow the user to filter events by
time.
Overview Dashboard
This dashboard is built to provide overall visibility into Symantec Email deployment. It gives count of
Total Email Scanned, Total Inbound Emails, Total Outbound Emails etc. Filters used for this dashboard
are Time Range, Domain Name and Account Name.
7
Trends Dashboard
This dashboard is built to provide list of senders, receivers, subjects, etc. which are on the top sorted
by unique count (for both Inbound and Outbound). It gives table view of Inbound Email Traffic - Top 10
Recipients, Inbound Email Traffic - Top 10 Senders, Inbound Email Traffic - Top 10 Subject etc. Filters
used for this dashboard are Time Range, Service and Account Name.
8
Investigation Dashboard
This dashboard is built to provide list of Top 1000 Investigations sorted on the basis of Time. Filters
used for this dashboard are Time Range, Service, Sender, Recipient, Subject, Sender IP and
Account Name.
9
Email Threats
This dashboard is built to provide visibility to Top Spam Detections and Top 10 Countries – Malware.
Filters used for this dashboard are Time Range and Account Name.
10
Chapter 3
Below is a list of requirements needed to run Symantec Email app v1.0.0 on QRadar
• Symantec Email App Bundle (v1.0.0)
• QRadar version: 7.2.8 Patch 10 and above
• Access to Symantec Email Endpoint
• Symantec Email Credentials for both AWS as well as Cloud.
Installation
The application installation requires access to QRadar console machine via a web interface. The web
interface can be accessed via https://<<QRadarconsoleIP>>/. The installation process is as follows:
a. Login to QRadar console
11
Figure 6: IBM QRadar 7.3.1 login screen
12
QRadar Configuration
IBM QRadar has a default setting for payload length. The term "Payload" is defined as the raw event
that is being forwarded as TCP/UDP syslog messages to QRadar. So, the default setting is 4096
bytes per event. But in Symantec Email Security there are few events that exceed that limit which
results in the truncated payload that hinders custom property extractions for that particular event.
Following are few simple steps to increase the payload limit to 12000 bytes:
4. Settings window pop out. Now switch to Advanced view to unlock more settings.
13
5. Now find this option Max TCP Syslog Payload Length and update its value to 12000 from
6. Now near to Deploy Changes button there is an Advanced drop-down. In that first click on
Deploy Full Configuration and then click on Restart Event Collection Services.
7. After that, the payload length gets updated and now you can configure Symantec Email
Security App for data collection.
App Configuration
After completing the installation, you must complete the configuration to start the data collection.
14
The setup process for configuring is as follows:
● Find the installed app on Admin Panel under Apps as shown in fig.
15
Note: The app supports multiple accounts for Cloud configuration and only single account for
Phishing configurations.
16
● Configure your Symantec Email cloud credentials (For NDF (ATP) data and Core data )
and your Symantec Email phishing credentials (For Phishing data) and your data collection
will start.
● Save credentials can be found in the table below where you can edit/delete the same.
● You can set proxy to fetch data from Symantec Servers.
17
Figure 17: User Role
18
Uninstalling the Application
Symantec Email QRadar v1.0.0 supports all its functionalities on QRadar cloud.
Chapter 4
Troubleshooting
This chapter includes the following topics:
• Troubleshooting
o Case #1 - App configuration fails with various error messages
o Case #2 – Data is not getting collected in the app
o Case #3 – UI related issues in the app
o Case #4 – Events are coming as Unknown in App Log Source
o Case #5 – All other issues which are not a part of the document
Troubleshooting
This section describes the common issues that might happen during the deployment or the running of the
app and the steps to resolve the issues.
Problem: New configuration fails with error message “Same configuration already exists. Please try
different username”. Below is a screenshot for quick reference.
Problem: New configuration fails with error message “Authentication failed for cloud service. Please enter
correct credentials”. Below is a screenshot for quick reference.
Troubleshooting Steps: This happens when user has entered wrong credentials so authentication failed
while saving new configuration. User is recommended to check the credentials and try again
Problem: New configuration fails with error message “Something went wrong. Please check logs for
more details”. Below is a screenshot for quick reference.
Troubleshooting Steps: This happens when user has entered wrong credentials so authentication failed
while saving the configuration. User is recommended to follow the troubleshooting steps as mentioned in
Case #5.
Problem: Configuration of Symantec Email fails with error message “No connection could be made. The
target machine refused it.”. Below is a screenshot for quick reference
Troubleshooting Steps: This happens when there is connection issue while connecting to Symantec
Email Security.Cloud instance. User is recommended to check the connectivity or firewall rules on the
QRadar machine.
Problem: Configuration of Symantec Email fails with error message “Authentication failed for the new
credentials in cloud service”. Below is a screenshot for quick reference
Figure 23: Incorrect credentials while updating configurations error
Troubleshooting Steps: This happens when user has entered wrong credentials so authentication failed
while updating the configuration. User is recommended to check the credentials and try again.
Problem: New configuration of Symantec Email fails with error message “Updating the configuration
failed”. Below is a screenshot for quick reference
Troubleshooting Steps: This happens when updating the configuration in the file. User is recommended
to follow the troubleshooting steps as mentioned in Case #5.
Problem: New configuration of Symantec Email fails with error message “Authentication failed for
phishing service. Please enter correct credentials”. Below is a screenshot for quick reference
Troubleshooting Steps: This happens when user has entered wrong credentials so authentication failed
while saving new configuration. User is recommended to check the credentials and try again
Problem: Configuration of Symantec Email fails with error message “Authentication failed for the new
credentials in phishing service”. Below is a screenshot for quick reference
Figure 26: Incorrect credentials while updating configurations error
Troubleshooting Steps: This happens when user has entered wrong credentials so authentication failed
while updating the configuration. User is recommended to check the credentials and try again.
Problem: Any dashboard panel, configuration pages, charts shows errors or unintended behavior.
Troubleshooting Steps:
1. Clear the browser cache and reload the webpage
2. Try reducing the time range of the filter and retry. It has been seen that QRadar queries expire if
too much data is being matched in the query.
3. In Email Threats, if Top 10 Countries – Malware panel shows No data and on running the
dashboard query of the above panel in Log Activity shows the results, then user is recommended
to check whether http://geoip.nekudo.com/api/<<ip_address>> API is blocked or not for their
QRadar instance (since we are using above API to map the countries with their respective IP
address)
Troubleshooting steps:
1. Go to Log Activity.
2. Add Filter Log Source [Indexed] Equals Any of
a. Symantec Email ATP
b. Symantec Email Core
c. Symantec Email Phishing
3. Select Last 7 Days in Views filter.
4. If any events come as Unknown,
a. Right click on that particular event.
b. View in DSM editor.
c. Check the value of Event ID, Event Category and Event Name under Log activity Preview
d. If Event ID and Event Category value is extracted properly and Event Name value comes
as unknown, create support ticket with Symantec Support.
Case #5 – All other issues which are not part of the document
Problem: If the problem is not listed in the document, please follow below steps.
_End of Document _